"Financially motivated attackers will take any data they can find," says Corbin Del Carlo, regional leader of Security and Privacy Services at McGladrey. "One company's Internet footprint looks the same as another to anyone interested in finding something of value, whether it's credit information, personnel information, intellectual property such as engineering drawings or processes, technology or other industrial assets. Size does not matter; information does."
Consequences of Data Breach May Take Time to Surface
Kurek notes that in one of the focus groups McGladrey held for the survey, a mid-market B2B manufacturer confided that its systems had been compromised just two weeks before the focus group.
"This company does a lot of sophisticated engineering for machine parts," she says. "They have a lot of patents and intellectual property."
While the company doesn't have much in the way of consumer data, the compromised databases did have "very sensitive information" such as technology patents, Kurek says, and the business doesn't know what effect the illicit access will have on its business going forward.
"They might not know the impact of that until they see something six months down the road when someone has replicated something that they've patented," she says. "That's really a wake-up call. People need to pay more attention to their data security."
McGladrey says that attackers have been successful at accessing information in all organizations, regardless of size. And the reason is typically weak or stolen access credentials.
"Attackers target the lowest hanging fruit to get access to data quickly and easily," the report says. "Companies need to take proactive steps to minimize their security risks and, as a result, mitigate any potential financial losses and compromised reputations."
Efficacy of Risk Management Depends on Definition of Risk
McGladrey did find that a majority of those surveyed (65 percent) have an IT risk management process in place, and 74 percent of businesses regularly monitor their systems to find threats and attacks that may have occurred. But the efficacy of those programs may come down to how your organization defines risk.
"Some define risk (or the lack thereof) as 'things are running,'" the report notes. "One executive felt that 'as long as the intranet is up, we're fine.'"
The reality is that most businesses today are distributed among several locations. That reality, combined with ever-increasing use of mobile devices, means information is often exchanged outside of firewalls, which increases the risk. Legacy technology can also increase risks.
"Another executive admitted that while they have a reasonable firewall, their business is run on technology from the 1980s: 'No one really understands how the current system works,'" the report says.